
ACPO non-compliance?

(@toomygun)
Posts: 2
New Member
Topic starter
 

The ACPO Guide provides forensic examiners with standards for law enforcement, but non-compliance with the guide does not mean that evidence should be rejected.

I have Googled but can't seem to find the answer.

Does anyone know why non compliance evidence shouldn't be rejected?

 
Posted : 23/08/2014 5:39 am
(@jerryw)
Posts: 56
Trusted Member
 

Because they are guidelines, not legislation. Having said that, why would you not want to comply with them?

The guidelines are not prescriptive for every activity carried out in computer forensics. You are not likely to have problems if you accurately record your activities and decision-making processes.

 
Posted : 23/08/2014 1:32 pm
(@mansiu)
Posts: 83
Trusted Member
 

When you look at the actual name of the ACPO guideline, it is "ACPO Good Practice Guide for Digital Evidence".

It is only "Good Practice", which means it is not the gold standard or even "best practice".

 
Posted : 24/08/2014 8:12 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

When you look at the actual name of the ACPO guideline, it is "ACPO Good Practice Guide for Digital Evidence".

It is only "Good Practice", which means it is not the gold standard or even "best practice".

Still it is not "bad practice", and most probably it can be considered "common practice".

Like it or not, it constitutes a "reference", it is not "compulsory", but its contents do make a lot of sense.

Deviating from it is perfectly possible, as said, both in theory and in practice, point being that in practice there should be valid reasons to do something differently from what it suggests, and these reasons must be adequately explained.

More or less you will be presenting results of an investigation to someone that - often without really understanding the reasons behind the ACPO guideline suggestions - is used to have submitted results obtained through respecting those guidelines, and will likely raise his/her eyebrows if the procedure is different.

As a matter of fact, like many similar "codes of practice" the guidelines represent what experts in the field consider "common sense" applied to the specific procedures.

jaclaz

 
Posted : 24/08/2014 3:01 pm
(@bithead)
Posts: 1206
Noble Member
 

Does anyone know why non compliance evidence shouldn't be rejected?

ACPO guidelines may be, at the time of publication, best practices as decided by one community of law enforcement officers, however that does not mean that deviation from the guidelines should automatically be grounds for rejection of "non compliance evidence". If that were the case there would never be innovation. Examiners would be forced to wait until the next guidelines were released to deal with the myriad of ever changing threats, exploits, and offenses being committed.

Just a few examples:
- The last sentence of Principle Three reads "An independent third party should be able to examine those processes and achieve the same result." In the instance of memory capture how would any third party be able to achieve the same result from that fleeting moment in time? Now we can look at the notes of the examiner and test their processes in a similar environment, however no one can recreate that exact situation. Does that mean the results should automatically be rejected? I think not.

- The "Crime Scenes" section of the paper still advocates powering off the device that is the subject of the examination and makes only a brief nod to live capture:
"It is accepted that, depending on the particular circumstances found during a search, there may be more appropriate options available than those that follow. However, these alternative options will not be addressed in this guide, as such courses of action should only be invoked by individuals who have received appropriate training in this specialised area of work."
So because those "alternative options" are not addressed does that mean that data that is seized by those means should automatically be rejected? Again I say not.

- "Crime Scenes: What Items Should Be Seized" - While reading down the list I find a bit of humor in what is and what is not listed. For example "modems" are listed twice with a particular reference to the dial-up phone numbers they contain, yet no mention of wireless access points. Why modems in particular rather than a more generic term for the devices that are used to connect to an ISP/service provider? The list includes Zip/Jaz cartridges yet from the same era Bernoulli cartridges are omitted. And the list calls out CDs and DVDs, yet Blu-ray discs are not mentioned. To me that language at best dates the guidelines and worse shows a lack of current knowledge by the authors. But would I automatically reject a piece of evidence because it is not on the list? Of course not.

All of this just reinforces that these are guidelines and nothing more. Automatically rejecting evidence because it fails to meet a criterion of these guidelines makes no sense. If an examiner cannot articulate their processes and results then that can be brought forth, but to automatically reject the evidence, sorry no.

 
Posted : 24/08/2014 10:33 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@BitHead
Which version of the ACPO guidelines are you referring to?

The one that should be "current":
http://www.digital-detective.net/acpo-good-practice-guide-for-digital-evidence/
http://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf

Seems to me like having different contents from what you cite.

jaclaz

 
Posted : 25/08/2014 12:51 am
(@toomygun)
Posts: 2
New Member
Topic starter
 

Thank you for everyone's help :D

 
Posted : 25/08/2014 1:10 am
(@bithead)
Posts: 1206
Noble Member
 

@BitHead
Which version of the ACPO guidelines are you referring to?

The first hit on Google for ACPO guidelines:
http://7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence_v4_web.pdf

And while I see some differences, Section 2 - The Principles of Digital Evidence 2.1.3 Principle 3 contains the same language "An independent third party should be able to examine those processes and achieve the same result."

The section on Crime Scene has changed, it now refers to a first responders guide.

However, even the minor changes do not change my assertion that these are just guidelines and that a failure to follow them to the letter should not require "non compliance evidence" to automatically be rejected.

 
Posted : 25/08/2014 2:27 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

However, even the minor changes do not change my assertion that these are just guidelines and that a failure to follow them to the letter should not require "non compliance evidence" to automatically be rejected.

Sure it does not change at all the assertion, nor its validity :), but we were talking of different versions, you were citing version 4, while I was reading version 5, and there is not any trace in the "current" version AFAICS about Jaz/Zips nor the accent on dial-up modems you cited.

About principle 3:

Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Possibly I am mistaken, but I read it as posing the accent on repeatability of the processes applied, i.e. about the need of using (validated and) repeatable processes.

jaclaz

 
Posted : 25/08/2014 1:57 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

In England and Wales, non-compliance with any authoritative guidelines or legal codes of practice in criminal law is dealt with under Section 78(1) of the Police and Criminal Evidence Act 1984, which states:

78 Exclusion of unfair evidence.

(1) In any proceedings the court may refuse to allow evidence on which the prosecution proposes to rely to be given if it appears to the court that, having regard to all the circumstances, including the circumstances in which the evidence was obtained, the admission of the evidence would have such an adverse effect on the fairness of the proceedings that the court ought not to admit it.

Seems pretty straightforward.

I was taught that this was a balance between the probative value of a piece of evidence and its prejudicial value, a subjective decision on the part of the presiding judge. If you want to stay on the right side of the decision, then conform to the guidelines UNLESS there is a good and sufficient reason for not doing so (and the ACPO guidance covers many scenarios that may be encountered). Any deviation must be fair to any suspects.

 
Posted : 28/08/2014 3:35 pm